Alteon

TM
Alteon Switched Firewall 4.0.2
Hardware Installation
Guide
part number: 217016-A, November 2004
4655 Great America Parkway

Santa Clara, CA 95054
Phone 1-800-4Nortel
http://www.nortelnetworks.com
Alteon Switched Firewall 4.0.2 Hardware Installation Guide
Copyright 2004 Nortel Networks, Inc.,4655 Great America Parkway, Santa Clara, California 95054, USA.
All rights reserved. Part Number: 217016-A, Revision A.
This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and decompilation. No part of this document may be reproduced in any form by any means
without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without
warranty of any kind, either express or implied, including any kind of implied or express warranty of non-
infringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR
2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as
those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this
documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR
12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without
notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products
described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of
this product does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Nortel Networks, Inc.
Alteon, Alteon Switched Firewall, Alteon 5008, 5010, 5014, 5300, 5400, 5600, 5700, 6400, 5308, 5408,
5610, 5710, 6414, Alteon Firewall Director, Firewall OS, Alteon SFA, Alteon Firewall Accelerator, and
Alteon Accelerator OS are trademarks of Nortel Networks, Inc. in the United States and certain other
countries. Any other trademarks appearing in this manual are owned by their respective companies.
Check Point, SecureXL, and SmartCenter, are trademarks of Check Point Software Technologies Ltd.
FireWall-1 and VPN-1 are a registered trademark of Check Point Software Technologies Ltd. Any other
trademarks appearing in this manual are owned by their respective companies.
Portions of this manual are Copyright © 2001 Dell Computer Corporation. All Rights Reserved.
Originated in the USA.
Export
This product, software and related technology is subject to U.S. export control and may be subject to export
or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations.
A license to export or reexport may be required by the U.S. Department of Commerce.
Licensing
This product includes software developed by Check Point Software Technologies

(http://www.checkpoint.com). This product also contains software developed by other parties.
2
217016-A, November 2004
Regulatory Compliance
International regulatory statements of conformity

This is to certify that the Nortel Networks 8000 Series chassis and components installed within the chassis
were evaluated to the international regulatory standards for electromagnetic compliance (EMC) and safety
and were found to have met the requirements for the following international standards:
EMC - Electromagnetic Emissions – CISPR 22, Class A
EMC - Electromagnetic Immunity – CISPR 24
Electrical Safety – IEC 60950, with CB member national deviations
Further, the equipment has been certified as compliant with the national standards as detailed below.
National electromagnetic compliance (EMC) statements of compliance

FCC statement (USA only)
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to Part 15 of the Federal Communications Commission (FCC) rules. These limits are designed to provide
reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio frequency energy. If it is not installed
and used in accordance with the instruction manual, it may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference,
in which case users will be required to take whatever measures may be necessary to correct the interference
at their own expense.
ICES statement (Canada only)

Canadian Department of Communications Radio Interference Regulations
This digital apparatus does not exceed the Class A limits for radio-noise emissions from digital apparatus
as set out in the Radio Interference Regulations of the Canadian Department of Communications.
Règlement sur le brouillage radioélectrique du ministère des Communications
Cet appareil numérique respecte les limites de bruits radioélectriques visant les appareils numériques de
classe A prescrites dans le Règlement sur le brouillage radioélectrique du ministère des Communications
du Canada.
CE marking statement (Europe only)

EN 55 022 statements
This is to certify that the Nortel Networks equipment are shielded against the generation of radio
interference in accordance with the application of Council Directive 89/336/EEC. Conformity is declared
by the application of EN 55 022 Class A (CISPR 22).
Warning: This is a Class A product. In a domestic environment, this product may cause radio interference,
in which case, the user may be required to take appropriate measures.
3
217016-A, November 2004
Achtung: Dieses ist ein Gerät der Funkstörgrenzwertklasse A. In Wohnbereichen können bei Betrieb
dieses Gerätes Rundfunkstörungen auftreten, in welchen Fällen der Benutzer für entsprechende
Gegenmaßnahmen verantwortlich ist.
Attention: Ceci est un produit de Classe A. Dans un environnement domestique, ce produit risque de créer
des interférences radioélectriques, il appartiendra alors à l’utilisateur de prendre les mesures spécifiques
appropriées.
EN 55 024 statement
This is to certify that the Nortel Networks equipment is shielded against the susceptibility to radio
interference in accordance with the application of Council Directive 89/336/EEC. Conformity is declared
by the application of
EN 55 024 (CISPR 24).
EC Declaration of Conformity
This product conforms to the provisions of the R&TTE Directive 1999/5/EC.
VCCI statement (Japan/Nippon only)

This is a Class A product based on the standard of the Voluntary Control Council for Interference (VCCI)
for information technology equipment. If this equipment is used in a domestic environment, radio
disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.
BSMI statement (Taiwan only)

This is a Class A product based on the standard of the Bureau of Standards, Metrology and Inspection
(BSMI) CNS 13438, Class A.
MIC notice (Republic of Korea only)

This device has been approved for use in Business applications only per the Class A requirements of the
Republic of Korea Ministry of Information and Communications (MIC). This device may not be sold for
use in a non-business application. Reference Regulatory label on the base of the equipment for specific
Korean approval information.
National safety statements of compliance
4
217016-A, November 2004
CE marking statement (Europe only)

EN 60 950 statement
This is to certify that the Nortel Networks equipment are in compliance with the requirements of EN 60
950 in accordance with the Low Voltage Directive. Additional national differences for all European Union
countries have been evaluated for compliance. Some components installed within the 8000 Series chassis
may use a nickel-metal hydride (NiMH) and/or lithium-ion battery. The NiMH and lithium-ion batteries
are long-life batteries, and it is very possible that you will never need to replace them. However, should you
need to replace them, refer to the individual component manual for directions on replacement and disposal
of the battery.
Lithium Battery Cautions
Caution—This product contains a lithium battery. Batteries are not customer replaceable parts. They may
explode if mishandled. Do not dispose of the battery in fire. Do not disassemble or recharge.
(Norge) ADVARSEL—Litiumbatteri - Eksplosjonsfare. Ved utskifting benyttes kun batteri som anbefalt
av apparatfabrikanten. Brukt batteri returneres apparatleverandøren.
(Sverige) VARNING—Explosionsfara vid felaktigt batteribyte. Använd samma batterityp eller en
ekvivalent typ som rekommenderas av apparattillverkaren. Kassera använt batteri enligt fabrikantens
instruktion.
(Danmark) ADVARSEL! Litiumbatteri - Eksplosionsfare ved fejlagtig håndtering. Udskiftning må kun

ske med batteri af samme fabrikat og type. Levér det brugte batteri tilbage til leverandøren.
(Suomi) VAROITUS—Paristo voi räjähtää, jos se on virheellisesti asennettu. Vaihda paristo ainoastaan
laitevalmistajan suosittelemaan tyyppiin. Hävitä käytetty paristo valmistajan ohjeiden mukaisesti.
Safety Information
Caution—Nortel Networks products are designed to work with single-phase power systems having a
grounded neutral conductor. To reduce the risk of electric shock, do not plug Nortel Networks products into
any other type of power system. Contact your facilities manager or a qualified electrician if you are not
sure what type of power is supplied to your building.
Caution—Not all power cords have the same ratings. Household extension cords do not have overload
protection and are not meant for use with computer systems. Do not use household extension cords with
your Nortel Networks product.
Caution—Your Nortel Networks product is shipped with a grounding type (three-wire) power cord. To
reduce the risk of electric shock, always plug the cord into a grounded power outlet.
NOM statement (Mexico only)

The following information is provided on the devices described in this document in compliance with the
safety requirements of the Norma Oficial Méxicana (NOM):
Exporter:Nortel Networks, Inc.
Santa Clara CA 95054 USA
5
217016-A, November 2004
Importer:Nortel Networks de México, S.A. de C.V.

Avenida Insurgentes Sur #1605
Piso 30, Oficina
Col. San Jose Insurgentes
Deleg-Benito Juarez
México D.F. 03900
Tel:52 5 480 2100
Fax: 52 5 480 2199
Input:100 to 240 VAC, 50 to 60 Hz, 9 A max. per power supply

single supply, or + one redundant supply configurations
Información NOM (unicamente para México)

La información siguiente se proporciona en el dispositivo o en los dispositivos descritos en este
documento, en cumplimiento con los requisitos de la Norma Oficial Méxicana (NOM):
Exportador: Nortel Networks, Inc.
Santa Clara, CA 95054 USA
Importador: Nortel Networks de México, S.A. de C.V.

Avenida Insurgentes Sur #1605
Piso 30, Oficina
Col. San Jose Insurgentes
Deleg-Benito Juarez
México D.F. 03900
Tel: 52 5 480 2100
Fax:52 5 480 2199
Embarcar a:100 to 240 V CA, 50 to 60 Hz, 9 A max. por fuente de poder

una fuente o una + configuraciones de una fuente redundante
6
217016-A, November 2004
Contents
Preface 5
Product Name & Platform Changes 5
Who Should Use This Book 5
How This Book Is Organized 6
Related Documentation 6
How to Get Help 7
Overview 9
Feature Summary 10
Basic Topology 11
Required Equipment 14
ASF Components 15
Firewall Models and Capacity 16
Safety Precautions 17
Firewall Director 19
Hardware Features 20
Physical Description 21
Removing and Installing the Bezel 22
Front Panel Without the Bezel 23
Rear Panel 23
LED Status Conditions 25
Mounting the 5014 Director 26
Rack Installation 26
Standalone Installation 29
Connecting a Console Terminal 30
Requirements 30
Console Connector and Cable Specifications 31
Establishing a Connection 31
1
217016-A, November 2004
Alteon Switched Firewall Hardware Installation Guide
Firewall Accelerator 33
Physical Description 34
Firewall Accelerator 6600 34
Firewall Accelerator 6400 34
Rear Panel 35
Side Panel 35
Ports 35
SFP GBICs 36
37
Dual-Mode Ports 37
Default NAAP and Data Ports 38
Console Port 38
LEDs 39
Installing the Firewall Accelerator 40
Preparing for Installation 40
Installing the Switch 41
Rack-Mounting the Switch 41
Connecting Power 43
Connecting Network Cables 44
Basic ASF 6600 Network Topology 45
Basic ASF 6400 Network Topology 47
Network Connector and Cable Specifications 49
RJ-45 Connector Specifications for 10/100/1000 Mbps Ethernet 49
Network Ports 49
Gigabit Ethernet via the Fiber Optic LC Connector 49
10/100/1000 Mbps Ethernet via the RJ-45 Connector 50
Connecting to the Console Port 50
Establishing a Console Connection 51
Using Network Ports 51
Upgrading the Software 52
Troubleshooting 53
Link/Activity LED Does Not Light 53
Symptom 53
Cause 53
Action 53
Fan LED is Amber 54
Symptom 54
2
217016-A, November 2004
Cause 54
Action 54
Switch Will Not Boot 55
Symptom 55
Cause 55
Action 55
Specifications 57
Firewall Director 5014 58
Physical Characteristics 58
Power Requirements 58
Port Specifications 58
Supported Standards 59
Environmental Specifications 59
Certifications 59
Firewall Accelerator 6600 and 6400 61
Physical Dimensions 61
Power Requirements 61
Supported Standards 61
Port Specifications (ASF 6600 and ASF 6400) 62
Environmental Specifications 62
Mechanical Specifications 63
Certifications 63
Index 65
3
217016-A, November 2004
4
217016-A, November 2004
Preface
This manual describes the features, installation process, initial configuration and specifications
of the Alteon Switched Firewall models 6614 and 6414.
For full documentation on configuring and using the Alteon Switched Firewall’s many soft-
ware features, see the software manuals mentioned in “Related Documentation” on page 6.
Product Name & Platform Changes

The Alteon Switched Firewall has been updated for integration into Nortel Networks’ larger
vision for network security products. The update includes changes to all the hardware model
names, as well as migration to a new hardware platform for the Firewall Director.
Although this manual uses the new product names and hardware descriptions, the Alteon
Switched Firewall version 4.0.2 software is compatible with any legacy Alteon products you
may currently use.
Who Should Use This Book

This manual is intended for network installers and system administrators engaged in configur-
ing and maintaining a Gigabit Ethernet network. It assumes that you are familiar with the
Ethernet concepts of installing a switch.
5
217016-A, November 2004
How This Book Is Organized

Chapter 1, “Overview,” provides a brief overview of the Alteon Switched Firewall including
the feature summary, basic topology.
Chapter 2, “Firewall Director,” provides the hardware features and physical description of
the front and rear panels of the ASF 5014. This chapter also describes how to install and mount
the system.
Chapter 3, “Firewall Accelerator,” describes how to install the Firewall Accelerators 6600
and 6400 models and connect it to the Firewall Director.
Appendix A, “Specifications,” describes the supported standards, port specifications, physi-

cal dimensions, environmental specifications, mechanical specifications, and certifications for
ASF 6000 series and ASF 5014.
Related Documentation
For detailed information about the functionality and configuration of the Alteon Switched
Firewallsee the following documentation:
Alteon Switched Firewall User’s Guide and Command Reference (Part Number 215709-
B) published in November 2004.
Alteon Switched Firewall Browser-Based Interface Guide (Part Number 215710-B) pub-
lished in November 2004.
6 Preface
217016-A, November 2004
How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or
authorized reseller, contact the technical support staff for that distributor or reseller for assis-
tance.
If you purchased a Nortel Networks service program, contact one of the following Nortel Net-
works Technical Solutions Centers:
Technical Solutions Center Telephone
Europe, Middle East, and Africa 00800 8008 9009

or
+44 (0) 870 907 9009
North America (800) 4NORTEL or (800) 466-7835
Asia Pacific (61) (2) 8870-8800
China (800) 810-5000
Additional information about the Nortel Networks Technical Solutions Centers is available at
the following URL:
http://www.nortelnetworks.com/help/contact/global
An Express Routing Code (ERC) is available for many Nortel Networks products and services.
When you use an ERC, your call is routed to a technical support person who specializes in sup-
porting that product or service. To locate an ERC for your product or service, refer to the fol-
lowing URL:
http://www.nortelnetworks.com/help/contact/erc/index.html
Preface 7
217016-A, November 2004
8 Preface
217016-A, November 2004
CHAPTER 1
Overview
The Alteon Switched Firewall is a high-performance firewall system for network security. The
system uses a versatile, multi-component approach to deliver unparalleled firewall processing
power, reliability, and scalability.
The Alteon Switched Firewall is a combination of dedicated hardware and software (hardened
OS, security applications, and networking technology). It addresses the needs for security, per-
formance and ease of use.
To enhance versatility, the Alteon Switched Firewall is a multi-component solution. ASF hard-
ware is a combination of Alteon Firewall Accelerators and Alteon Firewall Directors. ASF
software is a combination of Alteon Accelerator OS software and the Firewall-1® NG soft-
ware from Check Point™ Software Technologies Ltd. By using the throughput of a Gigabit
switch controlled by the Check Point inspection engine, the speed of the firewall is dramati-
cally increased. If you need more connections per second, additional Firewall Directors can be
added.
9
217016-A, November 2004
Feature Summary
The following features have been added to the Alteon Switched Firewall release 4.0.2 since the
last major release:
Supports Check Point™ FireWall-1® NG with

Application Intelligence R55 and Hotfix Accumulator 08 (HFA_08) software
Application Intelligence R54 and Hotfix Accumulator 412 (HFA_412) software
Supports hardware bundles ASF 6614 and 6414
ASF 6614 consists of the Firewall Accelerator 6600 and the Firewall Director 5014.
ASF 6414 consists of the Firewall Accelerator 6400 and the Firewall Director 5014.
Supports up to 500K concurrent connections
Supports 8K routes on ASF 6614 and 4K routes on ASF 6414
Supports Audit Trail
ASF 4.0.2 supports a log mechanism that enables logging of all CLI actions performed by
a user. This enhances your ability to pinpoint and respond to critical events, allows you to
track admin user actions, and serves as a useful tool for debugging functions. The ASF
Firewall keeps a log of the CLI commands and sends it to any configured syslog or
RADIUS servers.
Supports SmartView Monitor
ASF 4.0.2 allows you to monitor your firewall performance in real time using Check Point
SmartView Monitor™.
Supports Remote Login via SSH
ASF 4.0.2 allows remote users to login to troubleshoot or perform maintenance on the
firewall.
This feature must be used cautiously, because it provides users with the ability to login
remotely using SSH and access the Linux shell. Remote users with root password can use
the Linux utility, su and run “su root”.
The following defenses are built-in to ensure maximum security.
To log in, the user has to authenticate using the public key/private key mechanism.
DSA or RSA key pairs can be used but has to be in OpenSSH format version 2 format
only. Password based authentication is not allowed.
The IP address of the remote user must be part of the access list.
10 Chapter 1: Overview
217016-A, November 2004
The Check Point policy must allow the SSH connection between the remote user and
the ASF.
Backup and Restore Firewall Configuration
ASF 4.0.2 allows you to backup the Director configuration and restore it later to the same
state. The restore operation will restore the configuration in the registry as well as the
Check Point SIC and policy.
The backup and restore feature is for a Director only and not the cluster. To backup an
entire cluster, you must login to each Director and create backups separately. You cannot
create a backup from one member of the cluster and use it to restore another member. A
backup taken from a Director can be used only to restore that same Director or a replace-
ment for that Director.
Supports port mirroring on the Firewall Accelerator 6600 and 6400
Supports SecureXL™ 2.1 with Application Intelligence (AI) software
Load balances Intrusion Detection System (IDS) servers
Alteon Switched Firewall 4.0.2 is designed to load balance traffic to IDS servers which
perform in-depth traffic analysis and detects inappropriate, incorrect, or anomalous activ-
ity on your network. In addition to load balancing IDS systems, ASF supports port mirror-
ing which allows specific network ports to be monitored by replicating the traffic to
another port.
Basic Topology
The classic software firewall model can become a security speed bump. Typically, data enters
from one network card, passes through the a policy inspection engine, and is deposited on
another network card. When relying on the single processing path such systems offer, there are
major limitations on speed and expandability.
The Alteon Switched Firewall solution flattens the security speed bump and boosts the speed
of data.
Chapter 1: Overview 11
217016-A, November 2004
Server Cluster
Classic Firewall Scenario
Firewall
Clients Switch
Router
Internet
Server Cluster
Alteon Switched Firewall Solution Alteon Switched Firewall
Clients Firewall Acceleration
Router
Internet
Firewall
Accelerator
Load Balanced
Firewall Traffic
Control
Firewall Directors
Untrusted Networks Trusted Networks
Figure 1-1 Classic Firewall versus the Alteon Switched Firewall
The Alteon Switched Firewall is placed in the path between your various trusted, semi-trusted,
and untrusted networks. It examines all traffic moving between the connected networks and
either allows or blocks that traffic, depending on the security policies defined by the adminis-
trator. The Alteon Switched Firewall consists of multiple Firewall Director and Firewall
Accelerator components that are clustered together to act as a single system.
Firewall Director
The Firewall Director is a compact, high-performance computing device running Firewall
OS software. It uses built-in Check Point FireWall-1 NG software to inspect network traffic
and enforce firewall policies. For increased firewall processing power, additional Firewall
Directors can be attached to the cluster. For more information on Firewall Directors, see
Chapter 2, “Firewall Director.”
Firewall Accelerator
The Firewall Accelerator is an Alteon switch running Accelerator OS software. It offloads
the processing of secured traffic from the Firewall Director, enhancing firewall performance.
For high-availability configurations, a second Firewall Accelerator and Firewall Director
can be attached to the cluster.
217016-A, November 2004
Each port of a Firewall Accelerator is connected to a high-capacity, multi-Gigabit back-

plane. The Firewall Accelerator performs parallel processing on data flowing through any
port. All four processors work together regardless of the port through which the data
entered the Firewall Accelerator.
For more information on the 6000 series Firewall Accelerators, see Chapter 3, “Firewall
Accelerator.”
A basic network utilizing the Alteon Switched Firewall appears as follows:
Alteon Check Point
Switched Firewall: Alteon Alteon Management Server
Firewall Director & Switched Firewall Remote SmartCenter
Firewall Accelerator Local Console Console
Untrusted
Client
Trusted
Internet Network
Untrusted
Networks
DMZ Servers
11353EA
Figure 1-2 Alteon Switched Firewall Network Elements
217016-A, November 2004
Required Equipment
The Alteon Switched Firewall system requires the following minimum components:
One standard 19-inch open or closed rack to mount the system (see page 26, page 38, and
page 83) 2-1/2 U mounting space in:
A standard 19-inch open-frame relay rack with two 3-inch or 6-inch posts
or
A standard 19-inch enclosed four-post cabinet
One Alteon Firewall Accelerator
Each Firewall Accelerator is shipped separately and includes the following items which
may be required during installation:
A/C power cord—the unit is shipped with one U.S. standard and one EU standard
power cord. Country-specific power cords are available separately.
Rack mounting kit
One Alteon Firewall Director (see Table 2-1 on page 20 for system compatibility)
Each Firewall Director is shipped separately and includes the following items that may be
required during installation:
A/C power cord—the unit is shipped with one U.S. standard and one EU standard
power cord. Country-specific power cords are available separately.
Console cable
One two-post open rack installation kit for flush mounting or center mounting
One four-post rack installation kit for cabinet mounting
You need the following tools and supplies to install the components:
#2 Phillips screwdriver
11/32-inch wrench or nut driver (if changing Firewall Director bracket to flush-mount
configuration)
A straight edge or ruler to ensure that the unit is installed at level
Masking tape or felt-tip pen to mark the rack mounting position
217016-A, November 2004
ASF Components
Figure 1-3 shows the ASF components shipped with the Firewall Accelerator 6600.
3 1
11431FA
Figure 1-3 ASF Components
1. Firewall Accelerator or Firewall Director
2. Rack Mount Kit
3. DB9 Male to DB9 Female Cable
4. North American Power Cord and European Power Cord
5. ASF Software and Documentation Kit (Firewall Accelerator software, Firewall Director
software and Documentation CD
Similar to Figure 1-3, Firewall Accelerator 6400 and Firewall Director 5014 are shipped with
equivalent components. The connectors that fits into the gigabit ports are not shipped with the
product. For more information, see “SFP GBICs” on page 36.
217016-A, November 2004
Firewall Models and Capacity

Use compatible Alteon Switched Firewall components to achieve the desired performance.
Typically, Firewall capacity refers to higher throughput, concurrent sessions, and sessions per
second. Higher throughput and concurrent sessions are determined by the Firewall Accelerator
and sessions per second are determined by the Firewall Director.
Table 1-1 shows the available ASF products with different Firewall Accelerator and Firewall
Director models.
Table 1-1 Model Compatibility
Firewall Accelerator Firewall Director

ASF
Models Models
6614 6600 5014
6414 6400 5014
To achieve the desired performance from your ASF, you must use compatible Alteon Switched
Firewall components. To sustain high levels of throughput, Firewall Accelerators 6400 should
be connected to Firewall Director 5014 only.
The maximum concurrent connections on the Alteon Switched Firewall is limited by the mem-
ory in the Firewall Accelerator. The Firewall Director however, has more memory and, there-
fore can hold more connections than the Accelerator.
Table 1-2 Firewall Accelerator Features
Session
Firewall Number Type of Ports Connector Capacity with
Accelerator of Ports Type Firewall
Director
6600 12 4 Fast Ethernet ports 4 LC 500K

4 SFP GBIC ports
4 Dual-mode ports
6400 28 24 Fast Ethernet ports 4 LC 500K
4 SFP GBIC ports
217016-A, November 2004
Safety Precautions
Always observe the precautions in the manuals for this and all other equipment you are installing.
Assembly
CAUTION—The two-post open-frame relay rack must be properly secured and stabilized
! according to the rack manufacturer or industry specifications before installing the components.
The four-post cabinet rack must meet the relevant ANSI/EIA-310-D-92, IEC 297, or DIN
41494 specifications.
Use extreme caution when moving a rack cabinet. Rack cabinets can be extremely heavy and
yet move easily on their casters and have no brakes. Retract the leveling feet when moving the
rack cabinet. Avoid long or steep inclines or ramps where loss of cabinet control may occur.
When the cabinet is positioned, extend the leveling feet for support and to prevent the cabinet
from rolling.
Use the rack-mount kits only with the components for which they were designed. Using kits from
other systems may result in damage to the components and personal injury to yourself and others.
Do not place or rack-mount the equipment in any way which exceeds the maximum weight-bear-
ing capacity of the surface or rack, or cause potentially hazardous uneven mechanical loading. If
using components with extendable trays or slide mechanisms, do not extend more than one com-
ponent at any given time. Do not climb on the rack or step or stand on any component in the rack.
To avoid pinching your fingers or hands, use caution when pressing component rail release
latches and when sliding components into or out of the rack.
Power
CAUTION—Make sure the device is properly grounded electrically and that power connections
! are safe, particularly when using power strips.
Avoid overloading your electrical supply circuits. Electrical ratings are printed on all your
equipment. Be sure that your supply circuits and wiring can support the rated power draw of
whatever equipment is used. The total branch load should not exceed 80% of the circuit rating.
Temperature
CAUTION—For proper air circulation, the air vents on the devices should not be blocked or
! obstructed by cables, panels, or other materials.
The ambient temperature of an operating the equipment must not exceed 40oC. When install-
ing the devices in a closed or multi-unit rack assembly, please consider that the operating
ambient temperature of the equipment may be higher than the ambient temperature of the
room. Take appropriate steps to ensure that the devices do not overheat.
217016-A, November 2004
217016-A, November 2004
CHAPTER 2
Firewall Director
This chapter provides step-by-step instructions for physically installing the Alteon Firewall
Director 5014. It is assumed that the other components of your network (routers, servers, hubs,
and so on) have already been physically installed.
“Hardware Features” on page 20

“Physical Description” on page 21
“Mounting the 5014 Director” on page 26
Each of these tasks is detailed in the following sections of this chapter. Required software
setup is covered in the Alteon Switched Firewall User’s Guide and Command Reference.
NOTE – The instructions in this chapter are for installing the Firewall Director only. For con-
figurations with multiple Firewall Directors, first install the minimum system as described in
this chapter, then perform initial setup as described in the ASF User’s Guide and Command
Reference. Once the minimum system is fully configured, add the extra components as
described in the ASF User’s Guide and Command Reference.
19
217016-A, November 2004
Hardware Features
Table 2-1 describes the hardware features of Firewall Director 5014.
Table 2-1 Firewall Director Hardware Features
Firewall Director Features 5014
Port capacity Two Fiber Gigabit with LC

connector
Two 10/100/1000 BaseT cop-
per Gigabit Ethernet ports
RAM 1 GB
Hard disk capacity 40 GB
Dimension/Chassis 1U, 19-inch rack-mount
Power supply Single
20 Chapter 2: Firewall Director

217016-A, November 2004
Physical Description
This section describes the Firewall Director model 5014 as shown in Figure 2-1.
Amber System Status Indicator Reset Button Power LED

Hard Disk Activity Indicator Power Button
Figure 2-1 Front Panel of the Firewall Director 5014 with the Bezel
Table 2-2 describes the front panel LEDs shown in Figure 2-1.
Table 2-2 Firewall Director 5014 Front Panel LEDs

LED Description
Amber system status The amber system status indicator lights up when the system needs
indicator attention due to a problem. LED is normally off. If the system detects a
problem with any of the system voltages, temperature sensors, or fans,
! this LED blinks amber.When the system is reset, the LED is off. When
the system is running, this LED displays solid green. If the system
hangs, the LED flashes.
Hard-disk drive activity
indicator This LED blinks when activity is detected on the hard-disk drive.
System power indicator

This LED is green when the power supply is turned on.
The front panel LEDs are duplicated on the back-panel.
CAUTION—The reset button does a “cold start reset” and automatically reboots the Firewall
! Director. However, Nortel recommends using the Command Line Interface (CLI) to do a boot
reset. If the Firewall Director does not reset via the CLI, then use this reset button.
Chapter 2: Firewall Director 21

217016-A, November 2004
Removing and Installing the Bezel

To remove the bezel off the Firewall Director 5014, open the flap (See 2 in Figure 2-2) and
slide the bezel to the right. Then, pull the bezel off the faceplate.
To install the bezel, slide the bezel on the face plate as shown in Figure 2-2 and follow the
steps below:
11138EA
Figure 2-2 Installing the Bezel on the Firewall Director 5014
1. Lift the flap that is located at the left end of the bezel.
2. Slide the bezel on the face plate from right to left, until the edge of the bezel aligns with
the edge of the face plate lengthwise. (See 1 in Figure 2-2.)
3. Keep sliding all the way over until you hear a click, which means the bezel has locked on
to the face plate.
4. Shut the flap. (See 2 in Figure 2-2.)

217016-A, November 2004
Front Panel Without the Bezel
1 2 3 4 6 7
Figure 2-3 Front Panel of Firewall Director 5014 with Bezel Removed
1. CD-ROM drive
2. Floppy diskette drive
3. System error LED (amber)
4. Hard disk activity LED (green)
5. Reset button
6. Power button (left) and power LED (green)
7. Universal Serial Bus (USB) connectors (not supported)
Rear Panel
2 1
ACT/LINK B
ACT/LINK A
3 4 5 6 7 8 9
Figure 2-4 Rear Panel of the Firewall Director 5014
1. Gigabit Port 1 with LC connector: 1000Base-SX Multimode Fiber Ethernet

Use this port to connect to the Firewall Accelerator.

217016-A, November 2004
2. Gigabit Port 2 with LC connector: 1000Base-SX Multimode Fiber Ethernet

(See “LED Status Conditions” on page 25 for ports 1-2 LED status conditions.)
3. AC Receptacle
4. Keyboard Connector
5. Mouse Connector (not supported)
6. Video Connector
7. Port 1: 10/100/1000Base-T copper Ethernet port
8. Port 2: 10/100/1000Base-T copper Ethernet port

This is the default port for Check Point synchronization traffic.
See “LED Status Conditions” on page 25 for ports 1 and 2 LED status conditions.
9. Serial Connector (DTE) for system configuration and diagnostics (console connection)
Proceed to the section on “Mounting the 5014 Director” on page 26 to install the Firewall
Director 5014.

217016-A, November 2004
LED Status Conditions

The Firewall Director 5014 has two LEDs for each Copper Ethernet port, embedded into the
RJ-45 connectors. There is one LED for each SFP GBIC port. The LEDs light up to indicate
the various port connection conditions.
10/100/1000 Link / Activity
Figure 2-5 Copper Ethernet Port LED Layout
The table below describes the various states represented by the lights and conditions of the
LEDs on different ports.
Table 2-3 Various LED States

LED State Description
Copper Ethernet Port
Left LED On (Green) 1000BaseT
Off 10BaseT, 100BaseT, or no link
Right LED On (Green) Link is active

Off Link is not active
Blinking (Green) Data is being processed
Fiber Ethernet Port
LED On (Green) Link is active
Power
LED On (Green) Power is on
Off Power is off
Blinking Power is off

217016-A, November 2004
Mounting the 5014 Director

The Firewall Director 5014 can be installed in a standard 19-inch relay rack, or on a suitable
table-top.
Rack Installation
The following procedure is for installing the Firewall Directorin a standard 19-inch two-post
open-frame relay rack or a four-post enclosed rack cabinet.
For this procedure you will need the following:
A straight edge or a ruler to install the unit at level and a masking tape or a felt-tip pen to
mark the mounting holes.
#2 Phillips screwdriver.
Someone to hold the unit in place while you secure it in the rack.
NOTE – Do not use the included rubber feet for a rack installation.
1. Unpack the Firewall Director from its shipping box.
2. If you are installing the unit in a cabinet, remove the cabinet doors and side panels
according to the instructions that came with your cabinet.
This will provide easy access for the rest of the installation procedure.
3. Determine where you want to place the bottom of the Firewall Director within the rack.
NOTE – If you are installing more than one system, install the first system in the lowest avail-
able position in the rack.

217016-A, November 2004
4. Using a straight-edge, mark an empty 1U vertical space on the rack.

Each 1U (1.75-inch) vertical space has three holes. The center hole is the one with the greatest
space above and below it (0.625 inches as measured between the center of each hole). The line
dividing each 1U space falls between the more closely spaced holes (0.5 inches between hole
centers).
Universal Spacing Wide Spacing
0.5" 0.5"
12.7mm 12.7mm
0.625"
15.9mm
1U 1.25"
1.75" 31.7mm
44mm
0.625"
15.9mm
0.5" 0.5"
12.7mm 12.7mm
(Actual Size)
Figure 2-6 Determining a 1U Mounting Position
Be sure to mark the same space on both the left and right rails.

217016-A, November 2004
5. Install the unit as shown using the appropriate screws for your rack-mount system (four
10-32, 12-24, M5X.8-6H, or M6X1-6H type screws).
Figure 2-7 Rack-Mounting the Firewall Director 5014
NOTE – The Firewall Director comes from the factory with heavy-duty rack-mounting brack-
ets already attached. If the brackets have been previously removed (possibly to facilitate using
the unit in a standalone table-top configuration), you must reattach them.
6. Attach the front bezel to the system.
7. If you installed the unit in a cabinet, reattach the cabinet rack doors and side panels
according to the instructions that came with your cabinet.

217016-A, November 2004
Standalone Installation
1. Unpack the Firewall Director from its shipping box.
2. Remove the heavy-duty rack-mounting brackets from each side of the unit.
Store the brackets and any unused screws in a safe place for possible future use.
3. Connect the two table-top bezel-mounting brackets to the unit using screws removed in
the previous step.
4. Attach the four included rubber feet to the bottom of the unit chassis.
5. Place the unit on suitable (sturdy, level) table-top surface.
6. Attach the front bezel to the system.

217016-A, November 2004
Connecting a Console Terminal

Each component of the Alteon Switched Firewall has its own console port, though they are
used for different purposes. The serial port on the rear panel of the Firewall Director is used to
access the system for initial configuration as well as collecting system information and statis-
tics.
This section explains how to connect a console terminal to the Firewall Director serial port for
system configuration.
Requirements
To establish a console connection on the Firewall Director, the following is required:
An ASCII terminal or a computer running ASCII terminal emulation software set to the
parameters shown in the table below:
Table 2-4 Console Configuration Parameters
Parameter Value
Baud Rate 9600

Data Bits 8
Parity None
Stop Bits 1
Flow control none
A standard straight-through serial cable with a male DB9 connector (included with the
Firewall Director). An equivalent cable can be made as outlined in the next section.

217016-A, November 2004
Console Connector and Cable Specifications

The Firewall Director serial port female DB9 connector accepts a serial cable with a male DB9
connector.
Figure 2-8 Pinouts for DB9 Serial Connector
DB9 Serial Connector Pin Description
1 CD
2 TxD (Output)
DB-9 male
1 5 3 RxD (Input)
4 DTR
5 GND (Ground)
6 DSR
7 RTS
6 9
8 CTS
9 Not used
NOTE – Only pins 2, 3, and 5 are active.
Console cables are not intended for permanent installation and should be disconnected from
the console port after configuring the Alteon Switched Firewall.
Establishing a Connection
1. Connect the terminal to the serial port using the correct serial cable.
When connecting to a Firewall Director, use a standard serial cable with a male DB9 connector
(both shipped with the Firewall Director).
2. Power on the terminal.
3. To establish the connection, press <Enter> on your terminal.

You should now see the login prompt. See the “Users and Passwords” section in the ASF 4.0.2
User’s Guide and Command Reference for more login information.

217016-A, November 2004

217016-A, November 2004
CHAPTER 3
Firewall Accelerator
This chapter describes the operational and physical features of the Firewall Accelerator 6600 and
6400. It is assumed that the other components of your network (routers, servers, hubs, and so
on) have already been physically installed.
Physical installation of the Firewall Accelerator involves the following tasks:
“Physical Description” on page 34

“LEDs” on page 39
“Installing the Firewall Accelerator” on page 40
“Connecting Network Cables” on page 44
“Connecting to the Console Port” on page 50
“Establishing a Console Connection” on page 51
33
217016-A, November 2004
Physical Description

The Firewall Accelerator model 6600 has 4 copper gigabit ports, 4 dual-mode ports, 4 fiber giga-
bit ports, and a console port as shown in Figure 3-1.
Copper Gig Ports Fiber Gig Ports Console

1,2,7,8 9,10,11,12 Port
Console
3 4 5 6
9 10 11 12
Link/Act
Rx Tx Rx Tx Rx Tx Rx Tx Rx
Link/Act 1 2 3 4 5 6 7 8
Management
POWER FAN
11351EA
Dual Media Ports

(Copper or Fiber)
3,4,5,6
Figure 3-1 Front Panel of the Firewall Accelerator 6600
For information on NAAP and data ports, refer to “Default NAAP and Network Ports” on page
38.

The Firewall Accelerator model 6400 has 24 Fast Ethernet ports, four SFP GBIC ports, a manage-
ment port, and a console port as shown in Figure 3-2.
Fast Ethernet Ports

SFP GBIC Sockets Console Port
ASF 6400
Management Port
(not supported)
Figure 3-2 Front Panel of the Firewall Accelerator 6400
34 Chapter 3: Firewall Accelerator

217016-A, November 2004
Rear Panel
The rear panel of the Firewall Accelerator 6600 and 6400 with a power supply inlet and multiple
holes for ventilation is shown in Figure 3-3.
Figure 3-3 The Rear Panel of Firewall Accelerator
Side Panel
There are multiple holes on the side panels to allow proper ventilation and six threaded holes
on each side for the rack-mounting brackets.
Ports
The following table displays the number of copper gigabit ports and fiber ports also called
Small Form Pluggable (SFP) Gigabit Interface Converters (GBIC) ports supported on the 6600
and 6400 accelerator models.
Table 3-1 Firewall Accelerator Port Configuration
Single-mode ports Dual-mode Ports
ASF 6600 10/100/1000 Base-T copper ports 4 dual-modea ports

Ports 1, 2, 7, and 8 with RJ-45 connectors. Ports 3, 4, 5, and 6.
The ports are autonegotiating and support half or full These ports can operate in both
duplex operation. copper and fiber interface.
SFP GBIC (1000 Mbps) fiber ports

Ports 9 through 12.
These ports are designed to operate at 1000 Mbps and full
duplex mode only.
ASF 6400 24 FE (10/100 Mbps) ports none

Ports 1 through 24 are the RJ-45 network ports.
The RJ-45 jack is for connecting 10/100 Mbps Ethernet

segments to the port. The ports are auto-sensing, auto-
negotiating, and support half or full-duplex operation.
4 SFP GBIC (1000 Mbps) ports

Ports 25 through 28
a.Fiber interface is preferred over the copper interface.
Chapter 3: Firewall Accelerator 35

217016-A, November 2004
SFP GBICs
Figure 3-4 displays the LC jack connector and the SFP that fits into the port socket.
Figure 3-4 LC jack and SFP GBIC
The LC jack is used for connecting gigabit ethernet fiber optic segments. The LC optical (SX
or LX) SFP GBICs are not shipped with the product and must be purchased separately. To
order the connectors, see Nortel part numbers listed in Table 3-2.
Table 3-2 The Part Number Matrix of Small Form Factor Pluggable Modules
Type Reach Connector Nortel Order
Number
1000Base SX LC Type AA1419046
1000Base LX LC Type AA1419047
CAUTION—Use only Nortel approved class 1 SFP GBIC optical transceiver modules that are
! rated IEC or FDA CLASS 1. Do not use modules that are marked with laser classifications
higher than CLASS 1. Using other than Nortel approved modules may damage the product and
cause bodily injury.
NOTE – The SFP GBICs are hot swappable. You may install or remove the SFP GBIC while
the system is in operation, with no impact to network connectivity. Firewall Accelerator auto-
matically recognizes the SPF GBIC.

217016-A, November 2004
Installing and Removing SFP GBICs

Figure 3-5 and Figure 3-6 illustrate the mechanism to install and remove the SFP GBICs into
the port socket.
12
11
10
9
ent
Link/Act Managem
ASF 6600
FAN
POWER
Figure 3-5 Installing the SFP GBIC
12
11
10
9
ent
Link/Act Managem
ASF 6600
FAN
POWER
Figure 3-6 Removing the SFP GBIC
Dual-Mode Ports
The four dual-mode ports (3, 4, 5, and 6) on the Firewall Accelerator 6600 have two interfaces
each: 1000 Mbps SFP fiber and 10/100/1000Base-T copper. When the 1000 Mbps SFP fiber
port is selected as the preferred link, it is fixed at 1000 Mbps, full-duplex with autonegotiation
turned on.
NOTE – If 1000 Mbps is selected, autonegotiation is enabled by default.

217016-A, November 2004
When the 10/100/1000Base-T copper port is selected as the preferred link, it can be configured
at any speed. You can set either interface as the preferred or backup link. If autonegotiation is
disabled, only the preferred link will work and will not failover to the backup link.
Default NAAP and Data Ports

The default Nortel Appliances Acceleration Protocol (NAAP) ports and the default data
enforcement network ports for Firewall Accelerator 6600 and 6400 are shown in Table 3-3.
Table 3-3 Default NAAP and Network Ports
Firewall Accelerator Default NAAP Ports Defalut Data Enforcement Ports
Firewall Accelerator 6600 Ports 11 and 12 Ports (Copper and Fiber): 1—10
Firewall Accelerator 6400 Ports 1, 24, 27, and 28 Fast Ethernet RJ-45 network
ports: 2—23
SFP GBIC ports: 25 and 26
Console Port
The console port consists of a female DB-9 serial connector labeled Console for the DCE con-
nector. See “Connecting to the Console Port” on page 50 for details.

217016-A, November 2004
LEDs
The FE port on the Firewall Accelerator 6400 has two LEDs embedded into the RJ-45 connec-
tors. There is one LED for each SFP GBIC port on the Firewall Accelerator 6400 and 6600.
The LEDs light up to indicate the various port connection conditions.
10/100 Link / Activity
10/100 Link / Activity
Figure 3-7 Port LED Layout for the Top and Bottom Row of the FE Ports
The table below describes the various states represented by the lights and conditions of the
LEDs on different ports.

FE Ports
Left LED On (Green) 100BaseT
Off 10BaseT
Right LED On (Green) Link is active

Link/Ack
SFP GBIC Ports
Power
LED On (Green) Power is on
Off Power is off

217016-A, November 2004

Fan
LED On (Amber) A fan has failed and/or the internal tem-
Off perature has exceeded the threshold. See
“Fan LED is Amber” on page 54 for more
information.
The fans are functioning
Installing the Firewall Accelerator

This section describes how to install the Firewall Accelerator and connect cables to the net-
work ports, the management port, and the console port.
Your Accelerator is shipped with the following items:
Two mounting brackets for 19” rack mounting.

Eight Phillips screws for installing the mounting brackets.
Two AC power cords, one for North America and one for Europe, unless otherwise speci-
fied by the customer. See Table 3-5 on page 40 for regional power cord order numbers.
Console cable.
The software kit containing the software manuals and a software CD.
NOTE – The console cable is not intended for permanent installation and should be discon-
nected from the console port after configuring the switch.
Table 3-5 Power Cord Order Numbers for Different Countries
Country Power Cord Order Number
UK and Ireland 7917
Japan 7918
Australia, New Zealand and PRC 7910
Preparing for Installation

Installing the Firewall Accelerator involves the following tasks:
1. Choosing a suitable location to install the switch.

217016-A, November 2004
2. Unpacking the switch from the box.
3. Turning the power switch to the OFF position.
4. Mounting the switch.
5. Connecting the power inlet of the switch to the appropriate power source.
6. Connecting network cables to the switch.
7. Powering on the switch.
CAUTION—Observe the following precautions when selecting a site and installing the switch:
! Make sure the equipment is properly grounded electrically, and that the power connections are
safe, particularly when using power strips.
Avoid overloading your electrical supply circuits. Electrical ratings are printed on the name-
plates of all your equipment. Be sure that your supply circuits and wiring can support the rated
power draw of whatever equipment is used.
The ambient temperature of an operating Alteon Switched Firewall must not exceed 40oC.
When installing the switch in a closed or multi-unit rack assembly, please consider that the
operating ambient temperature of the switch may be higher than the ambient temperature of the
room. Take appropriate steps to ensure that the switch does not overheat.
For proper air circulation, the vents on the front, back, and sides of the switch should not be
blocked or obstructed by cables, panels, rack frames, or other materials.
Do not place or rack-mount the switch in any way which would exceed the maximum weight
bearing capacity of the surface or rack, or which would cause potentially hazardous uneven
mechanical loading.
Installing the Switch

Always observe the precautions outlined in the manuals for this and all other equipment you
are installing (see above).
Rack-Mounting the Switch

Following are the instructions for rack-mounting the Firewall Accelerator.

217016-A, November 2004
1. Connect the two mounting brackets to the switch using the supplied screws as shown in
the following figure. Mounting brackets can be attached at mid-mount position or face-
plate mount depending upon your required configuration.
Figure 3-8 Mounting Brackets for Face Plate Mount Location

217016-A, November 2004
2. Then, install the switch as shown in the figure below using the appropriate screws for
your rack-mount system (four 10-32, 12-24, M5X.8-6H, or M6X1-6H type screws).
To identify an appropriate 1U position on your rack, see “Rack Installation” on page 26.
Link/A
ct
1 3
2
3 4
4 Rx 5
Tx
Rx 6
Tx
Rx
Tx
Rx
Tx
Rx
5
6
7
8
Link/Act
9
10 Console
POW 11
ER
12
FAN
Man
agem
ent
11352FA
Figure 3-9 Face Plate Rack-Mounted Firewall Accelerator 6600
Connecting Power
Following are the instructions for connecting the Alteon Switched Firewall.
1. Connect the power cord to the switch. Verify that the power switch is in the off position.
2. Plug the switch cord into a properly fused AC outlet.
3. Power On (|) the switch.

217016-A, November 2004
Connecting Network Cables

Once the Firewall Accelerator is physically mounted in a rack system, the required network
cables can be attached. The following basic topologies with default port assignments are
described below:
“Basic ASF 6600 Network Topology” on page 45

“Basic ASF 6400 Network Topology” on page 47
The default port assignments can be changed after initial installation and configuration. See
“Port Menu Options” in the Alteon Switched Firewall 4.0.2 User’s Guide and Command Ref-
erence for more information on changing the Firewall Accelerator ports. Also, see Chapter 7,
“Expanding the Cluster” in the Alteon Switched Firewall 4.0.2 User’s Guide and Command
Reference for details on adding system components to increase processing power or redun-
dancy.

217016-A, November 2004
Basic ASF 6600 Network Topology

Although the precise network topology depends on your specific network, the basic Alteon
Switched Firewall (ASF 6614) network topology suggested for initial configuration is simple, as
shown below:
Check Point
Trusted Networks Remote Console
(optional)
Check Point
TM
SmartCenter
Untrusted Network
Intranet
Internet Firewall Accelerator 6600

ACT/LINK B
ACT/LINK A
Alteon
Switched Firewall
Console
Figure 3-10 Basic ASF 6600 Network Topology
By default, the various ports on the Firewall Accelerator are reserved for specific purposes:
Data enforcement ports 1 though 10 are reserved for connecting trusted, untrusted and
semi-trusted networks to the firewall.
NAAP port 12 is used in high availability scenarios, to connect to another Firewall Accel-
erator 6600.
NAAP port 11 is reserved for Firewall Director connection.
The NAAP port can also be configured for use as regular network ports. See the Alteon
Switched Firewall 4.0.2 User’s Guide and Command Reference for more information.
However, you must connect the Firewall Director to one of the NAAP ports and download
the modified configuration. The updated configuration should continue to retain this spe-

217016-A, November 2004
cific port as a NAAP port. Otherwise, you will see a sudden loss of connection to the
Director and you may not get a successful response when this port becomes a non-NAAP
port.
Using the reserved ports, connect the network cables as follows:
1. Attach the Firewall Director to the Firewall Accelerator.

Connect any of the Firewall Accelerator ports 11 or 12 to the dedicated Firewall Director
uplink port. The uplink port uses the gigabit fiber optic LC connector. Typically, port 12 on
ASF 6600 is used for high availability connections.
NOTE – See “Network Connector and Cable Specifications” on page 49 for cable information.
In Figure 3-10 on page 45, port 11 on the Firewall Accelerator is connected to port 1 on the
Firewall Director 5014.
2. Connect the trusted, untrusted and semi-trusted network feeds into any of ports 1
through 10.
All network ports are auto-negotiating and support half- or full-duplex operation. Network
ports 1 through 8 have a RJ-45 connector for 10/100/1000 Mbps Ethernet segments. Network
ports 3—6, 9 and 10 have a LC-style fiber optic connector for Gigabit Ethernet (1000Base-SX)
segments. NAAP ports can also be used to connect to network segments after you disable
NAAP on the port.
Once network cabling is complete, power can be connected as described in “Connecting

Power” on page 43.

217016-A, November 2004
Basic ASF 6400 Network Topology

Although the precise network topology depends on your specific network, the basic Alteon
Switched Firewall (ASF 6414) network topology suggested for initial configuration is simple, as
shown below:
Check Point
Trusted Networks Remote Console
(optional)
Check Point
TM
SmartCenter
Untrusted Network
Intranet
Internet Firewall Accelerator 6400

ACT/LINK B
ACT/LINK A
Alteon
Switched Firewall
Console
Figure 3-11 Basic ASF 6400 Network Topology
By default, the various ports on the Firewall Accelerator are reserved for specific purposes:
Data enforcement ports 2 though 23, 25, and 26 are reserved for connecting trusted,
untrusted and semi-trusted networks to the firewall.
NAAP ports 1, 24, 27, and 28 are reserved for Firewall Director connections.
These NAAP can also be configured for use as regular network ports. See the Alteon
Switched Firewall 4.0.2 User’s Guide and Command Reference for more information.
However, you must connect the Firewall Director to one of the NAAP ports and download
the modified configuration. The updated configuration should continue to retain this spe-

217016-A, November 2004
cific port as a NAAP port. Otherwise, you will see a sudden loss of connection to the
Director and you may not get a successful response when this port becomes a non-NAAP
port.
Using the reserved ports, connect the network cables as follows:
1. Attach the Firewall Director 5014 to any of Firewall Accelerator ports 1, 24, 27, or 28
To sustain high levels of throughput, the high-capacity Firewall Accelerator 6400 should be
connected only to high-capacity Firewall Director 5014.
Connect any of the Firewall Accelerator ports 1, 24, 27, or 28 to the dedicated Firewall Direc-
tor uplink port. The uplink port uses the gigabit fiber optic LC connector.
NOTE – See “Network Connector and Cable Specifications” on page 49 for cable information.
In Figure 3-11, port 28 on the Firewall Accelerator is connected to port 1 on the Firewall
Director 5014.
2. Connect the trusted, untrusted and semi-trusted network feeds into any of ports 2
through 23, 25, or 26.
All network ports are auto-negotiating and support half- or full-duplex operation. Network
ports 2—23 have a RJ-45 connector for 10/100 Mbps Ethernet (10Base-T or 100Base-TX)
segments. Network ports 25 and 26 have a LC-style fiber optic connector for Gigabit Ethernet
(1000Base-SX) segments.
Once network cabling is complete, power can be connected as described in “Connecting

Power” on page 43.

217016-A, November 2004
Network Connector and Cable Specifications

The following specifications apply to the Firewall Accelerator 6600.
RJ-45 Connector Specifications for 10/100/1000 Mbps Ethernet

The RJ-45 connectors on the Firewall Accelerator support both the 10Base-T,
100Base-TX, and 1000Base-TX Ethernet standards. The ports are designed to
operate with UTP Category 5 cables equipped with standard RJ-45-compatible
plugs.
For more information on port specifications and standards, refer to the section on “Port Speci-
fications (ASF 6600 and ASF 6400)” on page 62.
NOTE – 100Base-T and 1000Base-T signaling requires four twisted pairs of Category 5 bal-
anced cabling, as specified in ISO/IEC 11801:1995 and EIA/TIA-568-A (1995) and tested
using procedures defined in TIA/EIA TSB95.
Network Ports
Each SFP GBIC port on the Firewall Accelerator has transmit and receive ports. The transmit
(Tx) is on the left side and receive (Rx) is on the right side of the SFP.
All ports support full-duplex operation. The 10/100/1000 Mbps copper ports auto-negotiate,
and also support half-duplex operation.
The port LEDs light up to indicate the various port connection conditions. See Table 3-4 on
page 39 for details.
Gigabit Ethernet via the Fiber Optic LC Connector

Figure 3-4 on page 36 illustrates an LC-type SFP connector used for Gigabit Ethernet fiber
optic connections on the Firewall Accelerator.

217016-A, November 2004
10/100/1000 Mbps Ethernet via the RJ-45 Connector

If your Firewall Accelerator is configured with auto-negotiate mode, the Copper port will auto-
matically determine the Rx and Tx pins of the link (the MDI/MDI-X functionality). But if the
auto-negotiate mode is disabled, you need to use a crossover cable when connecting the Fire-
wall Accelerator Copper port to another Firewall Accelerator. Use a straight through cable
when connecting to an end station, such as a PC.
Connecting to the Console Port

Each component of the Alteon Switched Firewall has its own console port, though they are
used for different purposes. The console port on the front panel of the Firewall Accelerator is
used only for diagnostic and recovery functions as directed by Nortel Networks technical sup-
port.
To establish a console (DCE) connection, the following are required:
An ASCII terminal or a computer running ASCII terminal emulation software set to the
parameters shown in the table below:
Table 3-6 Console Configuration Parameters
Parameter Value
Baud Rate 9600

Data Bits 8
Parity None
Stop Bits 1
Flow Control None
Emulate VT100

217016-A, November 2004
The console port accepts a straight-through serial cable with a male DB9 connector.
Figure 3-12 Pinouts for DB9 Serial Connector
DB9 Serial Connector Pin Description
1 CD
2 TxD (Output)
DB-9 male
1 5 3 RxD (Input)
4 DTR
5 GND (Ground)
6 DSR
7 RTS
6 9
8 CTS
9 Not used
NOTE – Only pins 2, 3, and 5 are active.
Establishing a Console Connection

You can monitor the Firewall Accelerator by connecting the accelerator to a local computer
terminal, using the console port. To establish a console (DCE) connection, see “Connecting to
the Console Port” on page 50. Following are the instructions to connect to a console port.
1. Connect the terminal to the Console port of the switch using the serial cable.
2. Power on the terminal.
3. To establish the connection, press <Enter> on your terminal.

You will see a login prompt to enter the password. (Access to switch functions is controlled
through the use of unique user names and passwords.) The default administrator password is
admin. Once your password is verified, the Main menu is displayed. For instructions on using
the menus to configure the Firewall Accelerator, see the Alteon Switched Firewall 4.0.2 User’s
Guide and Command Reference.
Using Network Ports

Establish connections between the Firewall Accelerator and the server with the help of the net-
work ports using connectors and cables. Apart from establishing a Layer 2 link, the network
ports allow you to access the operating system running on the Firewall Accelerator.

217016-A, November 2004
See “Port Menu Options” in the Alteon Switched Firewall 4.0.2 User’s Guide and Command
Reference for detailed information on using the Network Ports.
Upgrading the Software

The Alteon Switched Firewall is provided with the software installed and configured with the
factory default settings. For information about upgrading the software, refer to Chapter 8,
“Upgrading the Software” in the Alteon Switched Firewall 4.0.2 User’s Guide and Command
Reference.

217016-A, November 2004
CHAPTER 4
Troubleshooting
This section contains information about possible problems that may occur or error messages
that might display if the Firewall Accelerator and Firewall Director are not properly installed
or configured.
Link/Activity LED Does Not Light
Symptom
The Link LED (green) does not light. When you check the Link state using the console termi-
nal (see the switch software manuals), the status is reported as down.
Cause
A port configuration mismatch between two devices or a cable problem.
Action
If the switch port is configured with a specific speed or duplex mode (for example, 100 Mbps,
full duplex) check to see that the other device is set to the same configuration. If the switch
port is configured to auto-negotiate, verify to see that the other device is also set to auto-nego-
tiate. Refer to the switch software manuals for more information about port configuration, set-
ting speed and mode.
53
217016-A, November 2004
Fan LED is Amber
Symptom
The fan LED is lit in amber color.
Cause
Fan Failure: One or more fans have stopped functioning. The syslog message: “Fan fail-
ure detected” appears on the screen.
Insufficient Cooling: The fan-fail LED is amber if the internal temperature of the switch
exceeds 60oC. The syslog message: “Temperature exceeds threshold” appears on the
screen.
These messages are also appended to the output from /info/sys commands.
Action
Make sure that the air circulation vents on the front, back, and sides of the switch are free
from obstruction by cables, panels, rack frames, or other materials.
Make sure that all cooling fans inside the switch are running. The fans are located behind
the ventilation grill at the rear of the switch. The exhaust from all the fans should be blow-
ing outward with roughly equal air pressure (although it is normal for the exhausts to have
different temperatures). You can also use a flashlight to check whether the fan blades are
moving. If any fan stops during switch operation, contact Nortel Networks’ customer sup-
port.
Remember that units in a closed or multi-unit rack assembly may have an operating ambi-
ent temperature higher than the ambient temperature of the room. The ambient tempera-
ture of an operating switch must not exceed 40oC. If the operating ambient temperature
cannot be lowered before this maximum is reached, turn off the switch and let it cool.
It may be necessary to cool the room to a lower temperature or provide a fan for greater air
circulation. Resolve the room’s cooling and circulation problems before turning the switch
back on.
After taking the above actions, when the switch comes to normal temperature, the following
messages appear on the screen: “Temperature OK” (if temperature previously exceeded thresh-
old), “Fan OK” (if a fan had previously failed). No temperature or fan information is appended
to the output from /info/sys.
54 Chapter 4: Troubleshooting
217016-A, November 2004
Switch Will Not Boot
Symptom
The Alteon Switched Firewall power stays on and the command prompt does not appear on the
console.
Cause
The operating system may have been damaged.
Action
Turn the power off and turn it back on before reinstalling the software as described in Chapter
8, “Upgrading the Software” of the Alteon Switched Firewall User’s Guide and Command Ref-
erence.
Chapter 4: Troubleshooting 55
217016-A, November 2004
56 Chapter 4: Troubleshooting
217016-A, November 2004
APPENDIX A
Specifications
This appendix describes the specifications, standards, and certifications for the Firewall Direc-
tor 5014 and Firewall Accelerator 6600 and 6400.
“Firewall Director 5014” on page 58

“Firewall Accelerator 6600 and 6400” on page 61
57
217016-A, November 2004

The following describes the specifications, standards, and certifications for Firewall Director
5014.
Physical Characteristics
Characteristic Measurement
Chassis 1U/19 inch rack mount; 1.75 inches (h) x 16.69 inches (w) x 16.54 inches (d)
Weight 8.6 kg (19 pounds)
Memory 1 GB RAM
Storage 40 GByte EIDE
Power Requirements
Specification Measurement
AC Power Power Supply 203 Watts
Input Voltage 100-127 VAC / 200-240 VAC
auto-sensing 47-63Hz
Port Specifications
Port Connector Media Maximum Distance
10Base-T RJ-45 Category 3, 4, or 5 UTP 100 meters (325 feet)
100Base-TX RJ-45 Category 5 UTP 100 meters (325 feet)
1000Base-TX RJ-45 CAT 5e 100 meters (325 feet)
1000Base-SX LC Shortwave (850 nm): 2 to 275 meters
62.5 micron MM fiber 2 to 550 meters (6.5 to 1804 feet)
50 micron MM fiber
Console (DCE) Female DB-9 RS-232C (serial) 25 meters (80 feet)
58 Appendix A: Specifications
217016-A, November 2004
Supported Standards
Logical Link Control (IEEE 802.2)
10Base-T/100Base-TX (IEEE 802.3, 802.3u)
1000Base-SC (IEEE 802.3, 802.3z)
IP
TFTP (RFC 783)
Environmental Specifications
Condition Operating Specification Storage Specification
Temperature 0° to 40° C (+32° to +104° F) –40° to 85° C (–13° to 185° F)
Relative humidity 85% maximum, non-condensing 95% maximum, non-condensing
96 hrs. @40°, 85% 96 hrs. @40°, 90-95%
Altitude up to 2,133 meters (7,000 feet) up to 10,668 meters (35,000 feet)
Shock 5 shock pulses of 3.5 G for up to 3ms 35G, 11 ms duration
to machine base equivalent to 763 mm (2.5 ft) drop
Vibration 3 axis, 30 min./axis, 3 axis, 15 min./axis
sine accel. of 0.06 G at 50-60Hz. 1.04 G full RMS, 2-200 Hz
Acoustic Noise 6.5 bell maximum during operation
Certifications
Category Compliance
EMC CISPR22, CISPR24

FCC CFR 47, Part 15, Class A
VCCI, Class A
ICES, Class A
CE EN-55022, EN-55024, EN-61000-3-2, EN-61000-3-3, EN-61000-4-2,
EN-61000-4-3, EN-61000-4-4, EN-61000-4-5, EN-61000-4-6, EN-61000-4-8,
EN-61000-4-11
BSMI CNS 13438 Class A
AS/NZS 3548 Class A
MIC Korea
Appendix A: Specifications 59
217016-A, November 2004
Category Compliance
Safety IEC 60950, with all NCB Member Differences

UL 60950
CSA 22.2 No. 60950
CE EN 60950
IEC 60950 Argentina
NOM Mexico
IEC 60825-1
217016-A, November 2004
Firewall Accelerator 6600 and 6400

The following describes the specifications, standards, and certifications for the Firewall Accel-
erator 6600 and 6400.
Physical Dimensions
Model width Height Depth Weight

Firewall Accelerator 17.3 inches 1.75 inches 20.0 inches 9.53 kgs
6600 and 6400 (440.0 mm) (437.5 mm) (508.0 mm) (21.0 lbs)
Power Requirements
Specification Measurement
Auto-ranging power supply 100-240 VAC @ 3.5 Amps, 50-60 Hz
Maximum power consumption 250 Watts
Typical power consumption 110 Watts
Supported Standards
Logical Link Control (IEEE 802.2)
10Base-T/100Base-TX (IEEE 802.3, 802.3u)
1000Base-SX (IEEE 802.3z)
Flow Control (IEEE 802.3x)
Link Negotiation (IEEE 802.3z)
Frame Tagging (IEEE 802.1Q) on all ports when VLANs are enabled
SNMP support: RFC 1213 MIB-II, RFC 1493 Bridge MIB, RFC 1398 Ethernet-like MIB,
RFC 1757 RMON1 (groups 1-4), and RFC 1573 Interface Extensions MIB compliant.
Alteon Enterprise MIB supporting the configuration and monitoring of all Alteon specific
features
217016-A, November 2004
Port Specifications (ASF 6600 and ASF 6400)
Port Connector Media Maximum Distance

10Base-T RJ-45 UTP Cat. 3, 4, or 5 100 meters (325 feet)
100Base-TX RJ-45 UTP Cat. 5 100 meters (325 feet)
Console (DCE) Female DB-9 RS-232C (serial) 25 meters (82 feet)
SFP GBIC LC Multi Mode Depends upon the GBIC
Single Mode
10/100/ RJ-45 Cat 5e or Cat 6 cable is 100 meters (325 feet)
1000BaseT recommended. The
cabling must meet
ANSI/TIA/EIA-568-
A-1995 as a minimum.
Environmental Specifications
Condition Operating Specification Storage Specification

Temperature 0° to 40° C (+32° to +104° F) –40° to 85° C (–13° to 185° F)
Relative humidity 85% maximum, non-condensing 95% maximum, non-condensing
96 hrs. @40°, 85% 96 hrs. @40°, 90-95%
Altitude up to 3,024 meters (10,000 feet) up to 10,750 meters (35,000 feet)
Thermal Shock –40° to 85° C (–13° to 185° F) –40° C to room temperature in less
than 5 minutes.
85° C to room temperature in less
than 5 minutes.
Vibration, peak to peak 0.005 in. max (5 to 32 Hz) 0.1 in. max (5 to 17 Hz)
displacement
Vibration, peak 0.25g (5 to 500 Hz) 0.25g (5 to 500 Hz)
acceleration (Sweep Rate = 1 octave/minute) (Sweep Rate = 1 octave/minute)
217016-A, November 2004
Mechanical Specifications
Unpackaged Operation Standard Specification Note

Requirements
Operational Vibration (Sinuso- ETS 300 019-1-3 and IEC 68-2-6 Shock of low significance. For
idal) Test Fc example, slamming of doors.
3-200Hz at 0.2g peak sweep
rate 1 oct/min for 20 sweeps.
Equal to 2.15 hours, applied to
3 mutually perpendicular axis,
for a 6.75 hours total
Shock IEC 68-2-27 Shock of low significance
30g 11ms
Certifications
Category Compliance
EMC CISPR22, CISPR24
FCC CFR 47, Part 15, Class A
VCCI, Class A
ICES, Class A
CE EN-55022, EN-55024, EN-61000-3-2, EN-61000-3-3, EN-61000-4-2,
EN-61000-4-3, EN-61000-4-4, EN-61000-4-5, EN-61000-4-6, EN-61000-4-8,
EN-61000-4-11
BSMI CNS 13438 Class A
AS/NZS 3548 Class A
MIC Korea
Safety IEC 60950, with all NCB Member Differences
UL 60950
CSA 22.2 No. 60950
EN 60950
IEC 60825-1
217016-A, November 2004
217016-A, November 2004
Index
A Firewall Director 5014

features ........................................................ 20
attaching the bezel ............................................... 22 front panel .................................................... 23
installing ...................................................... 26
C models available ........................................... 19
cable specifications.............................................. 49 rear panel ..................................................... 23
certifications ....................................................... 59
connect I
via console ................................................... 30 installing the switch ............................................. 41
connecting network cables.............................. 45, 47
connectors
director terminal pin assignments .................... 31 L
console connection ........................................ 30, 51 Link LED............................................................ 53
console port ........................................................ 38
M
D messages
data enforcement ports ................................... 45, 47 temperature sensor ........................................ 54
dual-mode ports .................................................. 37 mounting
ASF 5014..................................................... 26
E ASF 6600 and 6400 ....................................... 41
equipment rack ....................................... 26, 41
enforcement ports .......................................... 45, 47
environmental specifications ................................ 59
error messages .............................................. 53, 54 N
NAAP ports .................................................. 45, 47
F
feature summary P
hardware...................................................... 20 physical description
Firewall Accelerator 6400 ASF 5014..................................................... 58
connecting network cables ....................... 45, 47 ASF 6600 and 6400 ....................................... 34
features........................................................ 34 physical dimensions
Firewall Accelerator 6600 ASF 6600 and 6400 ....................................... 61
connecting network cables ............................. 45 pin assignments
features........................................................ 34 director ........................................................ 31
Firewall Accelerator 6600 and 6400
installing ...................................................... 40
65
217016-A, November 2004
port specifications removing the bezel .............................................. 22

ASF 5014 .....................................................58
ASF 6600 and 6400 .................................35, 62 S
ports
console .........................................................38 serial cable connection ................................... 31, 51
data enforcement, default ................................38 specifications
dual-mode ....................................................37 5014 ............................................................ 58
NAAP ....................................................45, 47 6600 and 6400 .............................................. 61
RJ-45 ...........................................................35
serial ............................................................38 T
power requirements
temperature sensor error message .......................... 54
ASF 5014 .....................................................58
terminal
ASF 6600 and 6400 .......................................61
connecting to director .................................... 31
connecting to switch ...................................... 51
R troubleshooting ................................................... 53
rear panel ............................................................35
66 Index
217016-A, November 2004

Alteon

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Alteon

Caricato da

Copyright:

Formati disponibili

TM

Alteon Switched Firewall 4.0.2

part number: 217016-A, November 2004

4655 Great America Parkway

Originated in the USA.

This product includes software developed by Check Point Software Technologies

International regulatory statements of conformity

National electromagnetic compliance (EMC) statements of compliance

ICES statement (Canada only)

CE marking statement (Europe only)

This product conforms to the provisions of the R&TTE Directive 1999/5/EC.

VCCI statement (Japan/Nippon only)

BSMI statement (Taiwan only)

MIC notice (Republic of Korea only)

National safety statements of compliance

CE marking statement (Europe only)

(Danmark) ADVARSEL! Litiumbatteri - Eksplosionsfare ved fejlagtig håndtering. Udskiftning må kun

NOM statement (Mexico only)

Importer:Nortel Networks de México, S.A. de C.V.

Tel:52 5 480 2100

Fax: 52 5 480 2199

Input:100 to 240 VAC, 50 to 60 Hz, 9 A max. per power supply

Información NOM (unicamente para México)

Importador: Nortel Networks de México, S.A. de C.V.

Tel: 52 5 480 2100

Fax:52 5 480 2199

Embarcar a:100 to 240 V CA, 50 to 60 Hz, 9 A max. por fuente de poder

Product Name & Platform Changes

Who Should Use This Book

How This Book Is Organized

Appendix A, “Specifications,” describes the supported standards, port specifications, physi-

How to Get Help

Technical Solutions Center Telephone

Europe, Middle East, and Africa 00800 8008 9009

North America (800) 4NORTEL or (800) 466-7835

Asia Pacific (61) (2) 8870-8800

China (800) 810-5000

 Supports Check Point™ FireWall-1® NG with

Figure 1-1 Classic Firewall versus the Alteon Switched Firewall

Each port of a Firewall Accelerator is connected to a high-capacity, multi-Gigabit back-

Figure 1-2 Alteon Switched Firewall Network Elements

Figure 1-3 ASF Components

1. Firewall Accelerator or Firewall Director

2. Rack Mount Kit

3. DB9 Male to DB9 Female Cable

4. North American Power Cord and European Power Cord

Firewall Models and Capacity

Table 1-1 Model Compatibility

Firewall Accelerator Firewall Director

6614 6600 5014

6414 6400 5014

Table 1-2 Firewall Accelerator Features

6600 12 4 Fast Ethernet ports 4 LC 500K

 “Hardware Features” on page 20

Table 2-1 Firewall Director Hardware Features

Firewall Director Features 5014

Port capacity  Two Fiber Gigabit with LC

Hard disk capacity 40 GB

Dimension/Chassis 1U, 19-inch rack-mount

Power supply Single

20  Chapter 2: Firewall Director

Amber System Status Indicator Reset Button Power LED

Table 2-2 Firewall Director 5014 Front Panel LEDs

Supports Check Point™ FireWall-1® NG with

“Hardware Features” on page 20

Port capacity Two Fiber Gigabit with LC

20 Chapter 2: Firewall Director

Chapter 2: Firewall Director 21

22 Chapter 2: Firewall Director

Chapter 2: Firewall Director 23

24 Chapter 2: Firewall Director

Chapter 2: Firewall Director 25

26 Chapter 2: Firewall Director

Chapter 2: Firewall Director 27

28 Chapter 2: Firewall Director

Chapter 2: Firewall Director 29

30 Chapter 2: Firewall Director

Chapter 2: Firewall Director 31

32 Chapter 2: Firewall Director

“Physical Description” on page 34

34 Chapter 3: Firewall Accelerator

ASF 6600 10/100/1000 Base-T copper ports 4 dual-modea ports

SFP GBIC (1000 Mbps) fiber ports

ASF 6400 24 FE (10/100 Mbps) ports none

4 SFP GBIC (1000 Mbps) ports